Introduction 


Facebook, Inc. and the Federal Trade Commission (FTC) entered into Agreement 
Containing Consent Order File No: 0923184 (“the Order”), which was served on August 15, 
2012. 

Part IV of the Order requires Facebook to establish and implement, and thereafter 
maintain, a comprehensive privacy program that is reasonably designed to (1) address 
privacy risks related to the development and management of new and existing products and 
services for consumers, and (2) protect the privacy and confidentiality of covered 
information. 

Part V of the Order requires Facebook to obtain initial and biennial assessments and reports 
(“Assessments”) from a qualified, objective, independent third-party professional, who uses 
procedures and standards generally accepted in the profession. Facebook engaged 
PricewaterhouseCoopers LLP (“PwC”) to perform the independent assessment. 

As described on pages 6-14, Facebook established its privacy program by implementing 
privacy controls to meet or exceed the protections required by Part IV of the Order. As 
described on pages 15-18, PwC performed inquiry, observation, and inspection/examination 
procedures to assess the effectiveness of the Facebook privacy controls implemented to 
meet or exceed the protections required by Part IV of the Order during the two years ended 
February 11, 2017, and our conclusions are on pages 4-5. 
Report of Independent Accountants 


To the Management of Facebook, Inc.: 

We have examined Management’s Assertion, that for the two years ended February 11, 2017 
(the “Reporting Period”), in accordance with Parts IV and V of the Agreement Containing 
Consent Order (the “Order”) with an effective date of service of August 15, 2012, between 
Facebook, Inc. (“Facebook” or “the Company”) and the United States of America, acting upon 
notification and authorization by the Federal Trade Commission (“FTC”), the Company had 
established and implemented a comprehensive Privacy Program (“the Facebook Privacy 
Program”), as described in Management’s Assertion, based on Company-specific criteria, and 
the privacy controls were operating with sufficient effectiveness to provide reasonable 
assurance to protect the privacy of covered information and that the controls have so operated 
throughout the Reporting Period. 

Note that during the Reporting Period, Facebook made acquisitions. As part of its acquisition 
process, the Company assesses whether the operations and technology of an acquired entity 
will be integrated with the Company or if it will remain independently operated. As the scope 
of the Order requires a comprehensive privacy program for Facebook, Inc., any independently 
operated affiliates were not included in the assessment of the Facebook Privacy Program. The 
products and services of Facebook, Inc., subject to the scope and assessment, are those 
generally available through Facebook’s websites, facebook.com or m.facebook.com and/or 
Facebook’s mobile applications. 

The Company’s management is responsible for the assertion. Our responsibility is to express 
an opinion based on our examination. 

Our examination was conducted in accordance with attestation standards established by the 
American Institute of Certified Public Accountants and accordingly, included examining, on 
a test basis, evidence supporting the effectiveness of the Facebook Privacy Program as 
described above and performing such other procedures as we considered necessary in the 
circumstances. We believe that our examination provides a reasonable basis for our opinion. 

We are not responsible for Facebook’s interpretation of, or compliance with, information 
security or privacy-related laws, statutes, and regulations applicable to Facebook in the 
jurisdictions within which Facebook operates. We are also not responsible for Facebook’s 
interpretation of, or compliance with, information security or privacy-related self-regulatory 
frameworks. Therefore, our examination did not extend to the evaluation of Facebook’s 
interpretation of or compliance with information security or privacy-related laws, statutes, 
regulations, and privacy-related self-regulatory frameworks with which Facebook has 
committed to comply. 

In our opinion, Facebook’s privacy controls were operating with sufficient effectiveness to 
provide reasonable assurance to protect the privacy of covered information and that the 
controls have so operated throughout the Reporting Period, in all material respects for the 
two years ended February 11, 2017, based upon the Facebook Privacy Program set forth in 
Management’s Assertion. 
This report is intended solely for the information and use of the management of Facebook 
and the United States Federal Trade Commission and is not intended to be and should not be 
used by anyone other than these specified parties. 


San Jose 
April 12, 2017 
Facebook’s Privacy Program Overview 

Introduction 

Facebook, Inc. (herein referred to as “Facebook” or “the Company”) is a publicly traded U.S. 
company headquartered in Menlo Park, California. Established in February 2004, the 
Company aims to make the world more open and connected. People use Facebook to stay 
connected with their friends, family, and interests, to express what matters to them to the 
people they care about, and to build communities to share ideas. Developers use our 
Platform to build applications (“apps”) and websites that integrate with Facebook to reach 
our global network of users and to build products and services that are more personalized, 
social, and engaging. In doing so, people entrust us with information when they use our 
services. 

Facebook integrates privacy considerations into the creation of our product and business 
plans, and we constantly evaluate our services and privacy program (“Privacy Program”) to 
account for evolving risks and to help ensure that the people who use our services 
understand the experience. For instance, Facebook’s ad preferences allow users to, among 
other things, provide feedback on the ads they see and to control whether their own image 
appears in connection with social ads. We have a dedicated team of product managers and 
engineers who support ad preferences, and we continuously develop new ways to enhance 
our ads transparency and control features. In addition, within the past two years, we have 
updated our Privacy Basics and About Facebook Ads webpages with user-friendly modules 
that clearly explain how we target ads and direct users to controls where they can decide 
how their information is used in relation to ads. We also have updated our cookies policy to, 
among other things, explain our use of cookies in a way that is easy to understand, and we 
have rolled out new tools that allow users to control how data collected about their interests 
on Facebook is used for ads outside the Facebook platform. 

Facebook also recognizes how helpful and important supplemental privacy-related 
information has been to people who use other parts of the Facebook Services. As such, we 
recently revised the Privacy Basics feature to update and expand information about how 
users can use available tools and control their privacy preferences. We updated Privacy 
Basics based on user feedback, with the goal of making it easy for users to find information 
about protecting their privacy. The current version of Privacy Basics offers improved 
functionality, features a “Top Topics” section which answers frequently asked questions 
about privacy and security, and includes 32 interactive guides that are available in 44 
languages. 

Since Facebook submitted its 2015 Privacy Program Overview, we also have continued to 
build out teams that focus on specific areas of our Privacy Program. These include our 
Security Policy, Risk, and Compliance and Data Access teams, HR teams that manage the 
onboarding of employees, and IT teams that manage how we track assets. This in turn 
allows us to continually evaluate the effectiveness of our controls, alongside the reviews and 
tests conducted by our independent assessor PricewaterhouseCoopers LLP (“PwC”). 

This Privacy Program Overview describes the scope and background of Facebook’s Privacy 
Program and the procedures developed to ensure we achieve our privacy objectives. The 
accompanying report submitted by PwC provides additional details on these controls and 
the results of the rigorous tests performed in connection with this assessment. 


Use or disclosure of data contained on this page is subject to the restriction on the title page of this report. 
Page 6 of 54 HIGHLY CONFIDENTIAL 

Background and Scope of the Privacy Program 

Facebook designed the Privacy Program to accomplish two primary objectives: (a) to 
address privacy risks related to the development, management, and use of new and existing 
products, and (b) to protect the information Facebook receives from or about users. 
Facebook’s Privacy Program is defined by eight assertions inspired by the Generally 
Accepted Privacy Principles (“GAPP”) framework, set forth by the American Institute of 
Certified Public Accountants (“AICPA”). In particular, Facebook’s assertions include the 
following: 

A. Responsibility for the Facebook Privacy Program: Facebook has 
designated an employee or employees to coordinate and be responsible for the 
privacy program. 

B. Privacy Risk Assessment: Facebook has identified reasonably foreseeable, 
material risks, both internal and external, that could result in Facebook’s 
unauthorized collection, use, or disclosure of covered information and an 
assessment of the sufficiency of any safeguards in place to control these risks. This 
privacy risk assessment includes consideration of risks in areas of relevant 
operations, including, but not limited to: (1) employee training and management, 
including training on the requirements of this order, and (2) product design, 
development, and research. 

C. Privacy and Security Awareness: Facebook has a privacy and security 
awareness program in place which is defined and documented in its privacy and 
Security for Privacy policies. The extent of communications to employees is based on 
their role and responsibility and may include internal communications through 
various channels and training. 

D. Transparency, Consent, Access, Use, and Deletion: Facebook provides 
notices and other informational materials about its privacy policies and procedures, 
and about its terms of service. These materials explain the purposes for which 
covered information is collected, used, and deleted and describe the choices 
available to users. Facebook obtains consent for such practices. Facebook has 
implemented controls, including a Privacy Cross-Functional (“XFN”) process, to 
ensure that it only collects and uses covered information for the purposes identified 
in the notices and provides users with access to their covered information for review 
and update. Facebook retains covered information for as long as necessary to 
provide services or fulfil the stated purposes, or as required by law or regulations, 
and thereafter appropriately disposes of such information. 

E. Security for Privacy: Facebook protects covered information of users against 
unauthorized access. 

F. Third-Party Developers: Facebook discloses covered information to third- 
party developers only for the purposes identified in the notices and with the 
implicit or explicit consent of the individual. 
G. Service Providers: Facebook has developed and used reasonable steps to 
select and retain service providers capable of appropriately protecting the 
privacy of covered information they receive from the Company and requiring 
service providers, by contract, to implement and maintain appropriate privacy 
protections for such covered information. 

H. Ongoing Monitoring of the Privacy Program: Facebook evaluates and adjusts 
the Company’s privacy program in light of the results of monitoring activities, any 
material changes to the Company's operations or business arrangements, or any 
other circumstances that the Company knows or has reason to know may have a 
material impact on the effectiveness of its privacy program. 

As discussed further below, Facebook has implemented numerous procedures (“controls”) 
to achieve and effectuate these objectives. This includes assessing impact on the Privacy 
Program from acquisitions and new or updated products and services. For example, the 
Privacy Governance Team, as well as other privacy experts from across the company, 
convene to discuss privacy risks associated with newly acquired companies. Likewise, new 
Facebook products or features incorporating newly acquired technology are routinely 
reviewed by the Privacy XFN team. 

Privacy Program Operations and Control Activities 

Facebook has identified 44 controls to support the above-listed assertions. This section 
provides a summary of some of the processes Facebook implements to ensure that we 
achieve each of our privacy objectives. 

[Redacted: (b)(3):6(f), (b)(4)] 


A. Responsibility for the Facebook Privacy Program 

Facebook has designated a team of employees who are directly responsible for the Facebook 
Privacy Program (the “Privacy Governance Team”). The Privacy Governance Team is 
responsible for reviewing company-wide privacy decisions, including product decisions and 
establishing, communicating and monitoring relevant control policies and procedures. 
These policies and procedures are reviewed periodically and updated as needed. 

The team members include: 

• Vice President and Chief Privacy Officer 

• Vice President and Deputy General Counsel 

• Vice President, Global Public Policy 

• Vice President, International and Policy Communications 

• Chief Marketing Officer 
• Chief Security Officer 

• Head of the Privacy Program, who coordinates the initiatives of the Privacy Program 
Management team. 

The Privacy Governance Team and many employees (including engineers, product 
managers, security experts [discussed further infra at Part E], product and privacy lawyers, 
and representatives from the public policy privacy team) are responsible for various aspects 
of the Privacy Program and play a crucial role driving and implementing decisions of the 
Privacy Governance Team. 

Of particular note are the Privacy Program Managers, who play a critical role in the 
functioning of the Privacy Program. The Privacy Program Managers work closely with the 
product organization and are responsible for: (1) engaging closely with Legal, Policy, and 
other members of the Privacy XFN Team to drive privacy decisions; (2) coordinating 
privacy reviews and presenting privacy issues to the Privacy XFN Team; (3) coordinating 
any necessary escalations to the Privacy Governance Team, and (4) maintaining records of 
privacy decisions and completed implementation reviews. The Privacy Legal, Policy, and 
Privacy Program Management teams work closely with relevant stakeholders throughout 
Facebook to regularly (a) assess compliance with established privacy controls; (b) improve 
design and operation of privacy controls; and (c) evaluate and document privacy risks, as 
discussed further below. 

B. Privacy Risk Assessment 

A central aspect of Facebook’s Privacy Program is a continuous assessment of privacy risks. 
In our privacy risk assessment, Facebook identifies reasonably foreseeable, material risks, 
both internal and external, that could result in Facebook’s unauthorized collection, use, or 
disclosure of covered information, and assesses the sufficiency of any safeguards in place to 
control these risks. As part of this process, members of the Privacy Governance Team 
consider risks in relevant areas of Facebook’s operations. These areas include governance, 
product design, engineering (including product development and research), community 
operations (including third-party developers), advertising, service providers, employee 
awareness and training, employee management, and security. Through this process, 
Facebook has documented reasonably foreseeable material risks to user privacy, and has 
put in place reasonable privacy processes and controls to address those risks. 

Facebook has implemented numerous avenues through which relevant stakeholders can 
identify, assess, and remediate risk. For example, members of the Privacy XFN Team assess 
risks and controls on an ongoing basis through focused subject-matter-specific discussions 
and weekly intra- and inter-team meetings, such as weekly privacy meetings and bi-weekly 
product and regulatory updates. Likewise, Facebook’s privacy team works to identify, 
discuss, and assess compliance with privacy policies and procedures as well as applicable 
laws and regulations. This cross-functional and collaborative effort allows Facebook to 
continually evaluate and adjust the Privacy Program in light of the results of testing and 
monitoring of the program, as well as other relevant circumstances. 
C. Privacy and Security Awareness 

Facebook communicates Privacy and Security awareness matters to new and existing 
employees, agency workers, and vendors, and tailors such communications according to the 
audience’s applicable role and responsibility. For example, upon hiring, all new employees 
must complete a privacy and security awareness training, and all existing employees are 
required to complete the privacy training biennially. This training covers, among other 
things, (1) an overview of applicable privacy laws and other privacy commitments (such as 
Facebook’s obligations under the Consent Order); (2) Facebook’s policies with respect to 
accessing covered information; (3) common security vulnerabilities, and strategies for 
avoiding them; (4) the importance of privacy by design; and (5) resources employees can 
contact for additional information and to answer questions. During the training, Facebook 
employees are quizzed on their understanding of Facebook’s privacy practices, and they do 
not receive credit for the training until they receive a passing score. Facebook has a team 
that is responsible for assigning the training, reporting on compliance, and maintaining a 
schedule of escalations in case an employee fails to complete the training. 


Above and beyond the controls tested as part of the privacy assessment, Facebook provides 
additional training material to key stakeholders who have access to covered information. 
Key stakeholders include: new project managers, product managers and engineers. 

D. Transparency, Consent, Access, Use, and Deletion 

Facebook provides notice of its privacy policy and practices and implements robust 
procedures to ensure that it complies with the choice, collection, and access principles 
described therein. More specifically, Facebook’s Data Policy - which all users 
must agree to upon signing up to receive our services and which is always available and 
readily locatable to users across platforms - describes the types of data collected, the 
purposes for which it is used, and the parties with whom it is shared, among other things. 
Facebook amended the Data Policy to make it easier for people to read and understand, and 
implemented Privacy Basics and new content in the Facebook Help Center to provide 
additional privacy tools and education. 

Facebook also offers multiple tools that help users access, delete, and edit information as 
described in the Data Policy. For example, Facebook allows users to select an audience for 
their content through various tools, such as account settings and in-line privacy controls. 
Likewise, Facebook’s Activity Log allows users to review, update, delete or correct 
information they have previously provided, while the Download Your Information tool 
allows users to create a downloadable archive of their activity. 
Sections E, F, and G below outline a range of controls and protections used to ensure 
that data is accessed, stored, and shared in accordance with Facebook’s Data Policy. 


E. Security for Privacy 

The Facebook Security team is led by the Chief Security Officer (“CSO”) and the team is 
responsible for developing and maintaining security policies, enforcing security operations, 
and monitoring technical security aspects within the Company. The CSO is supported by 
Security leadership with dedicated teams focusing on Product Security; Detection and 
Incident Response; Security Policy, Risk, and Compliance; Foundation Security; Dedicated 
Security Partners; and Security Programs and Operations. 

Given that Facebook protects the data of over 1.7 billion people, security is critical to our 
operations and success. As with the controls described above, Facebook’s security program 
has developed significantly since the inception of the Privacy Program to address evolving 
internal and external threats. For example, Facebook has completed several assessments, 
all conducted by independent professionals, under the SOC 3 and Payment Card 
Industry (“PCI”) standards. These assessments, which cover a wide range of Facebook’s 
services above and beyond those tested as part of PwC’s independent assessment, verify 
that the technical, physical, and administrative security controls designed to protect covered 
information from unauthorized access, as well as those designed to prevent, detect, and 
respond to security threats and vulnerabilities, are functioning properly. 

[Redacted: (b)(3):6(f), (b)(4)] 
F. Third-Party Developers 

Platform applications and developers are required to comply with, and are subject to, 
Facebook’s Statement of Rights and Responsibilities, Platform Principles, and Platform 
Policies. These terms and policies outline a variety of privacy obligations and restrictions, 
such as limits on a third-party application’s use of data received through Facebook, 
requirements that an application obtain consent for certain data uses, and restrictions on 
sharing covered information. Facebook’s Platform privacy settings and Granular Data 
Permissions (“GDP”) process allow users to control the transfer of covered information 
from Facebook to third-party applications. 

G. Service Providers 

Facebook has implemented controls with respect to third-party service providers, including 
implementing policies to select and retain service providers capable of appropriately 
protecting the privacy of covered information received from Facebook. 

[Redacted: (b)(3):6(f), (b)(4)] 
H. Ongoing Monitoring of the Privacy Program 

Facebook’s Privacy Program has built-in procedures to evaluate and adjust the Privacy 
Program in light of testing and monitoring results, as well as other relevant circumstances. 
As mentioned above, Facebook’s privacy team works to identify, discuss, and assess 
compliance with privacy policies and procedures as well as applicable laws and regulations. 
Additionally, the Privacy Governance Team regularly discusses the Privacy Program in the 
context of various product and operational considerations. During these discussions, the 
team considers and reviews the effectiveness and efficiency of the Privacy Program and, 
when appropriate, makes adjustments to maintain the program’s strength. 

[Redacted: (b)(3):6(f), (b)(4)] 
PwC’s Privacy Assessment Approach 


PwC’s Assessment Standards 

Part V of the Order requires that the Assessments be performed by a qualified, objective, 
independent third-party professional, who uses procedures and standards generally 
accepted in the profession. This report was issued by PwC under professional standards 
which meet these requirements. 

As a public accounting firm, PwC must comply with the public accounting profession’s 
technical and ethical standards, which are enforced through various mechanisms created by 
the American Institute of Certified Public Accountants (“AICPA”). Membership in the 
AICPA requires adherence to the Institute’s Code of Professional Conduct. The AICPA's 
Code of Professional Conduct and its enforcement are designed to ensure that CPAs who are 
members of the AICPA accept and achieve a high level of responsibility to the public, clients, 
and colleagues. The AICPA Professional Standards provide the discipline and rigor 
required to ensure engagements performed by CPAs consistently follow specific General 
Standards, Standards of Fieldwork, and Standards of Reporting (“Standards”). 

In order to accept and perform this FTC assessment (“engagement”), the Standards state 
that PwC, as a practitioner, must meet specific requirements, such as the following. 

General Standards: 

• Have reason to believe that the subject matter is capable of evaluation against 
criteria that are suitable and available to users. Suitable criteria must be free from 
bias (objective), permit reasonably consistent measurements, qualitative or 
quantitative, of subject matter (measurable), be sufficiently complete so that those 
relevant factors that would alter a conclusion about subject matter are not omitted 
(complete), and be relevant to the subject matter; 

• Have adequate technical training and proficiency to perform the engagement; 

• Have adequate knowledge of the subject matter; and 

• Exercise due professional care in planning and performance of the engagement and 
the preparation of the report. 

Standards of Fieldwork: 

• Adequately plan the work and properly supervise any assistants; and 

• Obtain sufficient evidence to provide a reasonable basis for the conclusion that is 
expressed in the report. 

Standards of Reporting: 

• Identify the assertion being reported on in the report; and 

• State the practitioner's conclusion about the assertion in relation to the criteria. 

In performing this assessment, PwC complied with all of these Standards. 
Independence 

The Standards also require us to maintain independence in the performance of professional 
services. Independence requirements fall into five categories: personal financial interests; 
business relationships; employment relationships; prohibited services; and prohibition from 
serving in the Company’s management capacity. The Standards additionally require 
independence in mental attitude, discussed below. In 
summary, relevant individuals must not have personal financial interests in the Company; 
the Company and the Assessor may not have certain business relationships; there are 
restrictions on relationships that may exist between employees performing the assessment 
and employees at the Company or formerly at the Company or at the Assessor firm; there 
are numerous services that cannot be provided by the Assessor to the Company; and the 
Assessor may not act in a management capacity or make any decisions for the Company. 

Further, the Standards require us to maintain independence in mental attitude in all 
matters relating to the engagement. Independence in mental attitude means there is an 
objective consideration of facts, unbiased judgments, and honest neutrality on the part of 
the practitioner in forming and expressing conclusions. We are required to maintain 
intellectual honesty and impartiality necessary to reach an objective and unbiased 
conclusion. 

PwC is independent with respect to the Standards required for this engagement. 

PwC Assessor Qualifications 

PwC assembled an experienced, cross-disciplinary team with privacy, assessment, and 
technology industry expertise to perform the Assessor role for the 
Order. A Partner with more than 21 years of experience providing professional services led 
the engagement and was supported by a partner with more than 27 years of experience 
providing professional services. The assessment was performed by an experienced team of 
ten professionals with a combination of privacy, data protection, information security, 
industry, and assessment experience. The team included Certified Information Privacy 
Professionals (“CIPP”), Certified Information Systems Auditors (“CISA”), and Certified 
Public Accountants (“CPA”). To ensure quality, a Quality Assurance Partner was involved 
as well as Risk Management personnel from PwC’s National Professional Services team. 

PwC’s procedures were performed in four phases over the two year period, incurring over 
4,500 hours. The fieldwork was primarily performed at Facebook’s headquarters in Menlo 
Park, CA. 

PwC Assessment Process Overview 

The procedures performed by PwC were designed to: 

• Assess the applicability of management’s assertion to address the Company’s 
obligations within Part IV of the Order; 

• Assess the design effectiveness of the control activities implemented by the 
Company to address the relevant sections of the management assertion; and 

• Assess the operating effectiveness of the implemented control activities for the two 
years ended February 11, 2017. 


PwC designed and performed test procedures to evaluate the design effectiveness and 
operating effectiveness of the control activities implemented by Facebook for the two years 
ended February 11, 2017. 

The nature of PwC’s testing was dependent on each control, and PwC developed a test plan 
based on our understanding of the risk, complexity, extent of judgment and other factors. 
PwC used a combination of inquiry, observation and/or inspection for testing of the 
controls. Refer below for a description of the test procedures utilized by PwC: 

Inquiry: To understand the design of the controls implemented and how they 
operate to meet or exceed the protections required by Part IV of the Order, PwC had 
discussions with Facebook personnel. The inquiry procedures included asking 
Facebook personnel about relevant controls, policies and procedures, as well as roles 
and responsibilities. To validate the information obtained in the discussions, PwC 
performed corroborative inquiry procedures with multiple individuals and, using the 
testing techniques below, obtained additional evidence to validate the responses. 

Observation: PwC utilized the observation testing method to validate the design and 
operating effectiveness of controls. In areas where Facebook has implemented 
controls that meet or exceed the protections required by Part IV of the Order, the 
PwC team met with relevant Facebook personnel and observed how the control is 
designed and how it functions. 

Examination or inspection of evidence: PwC used the examination and/or inspection 
test approach to validate the operating effectiveness of controls and to evaluate the 
sufficiency of controls implemented to address Part IV of the Order. PwC inspected, 
physically or online, artefacts and documents (including documentation of the 
company’s policies and procedures, risk assessment, training, and awareness 
programs) to evidence the design and operating effectiveness of the controls and 
safeguards implemented. The nature of the evidence examined varied from control 
to control and, where appropriate, other procedures like observation and inquiry 
were utilized to confirm the results of the examination procedures. 

To assess design effectiveness, PwC performed walkthroughs of the processes and controls 
to determine whether the controls were built to achieve the intended assertions as well as to 
determine whether the controls had been placed into operation. To perform a walkthrough, 
PwC met with relevant Facebook control owners. Additionally, during the design 
assessment, PwC assessed whether the persons performing the controls possessed the 
necessary authority and competence to perform the controls effectively. Our design 
effectiveness test procedures included performing a combination of inquiry, observation, 
and/or inspection/examination. 

To assess operating effectiveness, PwC performed procedures to determine whether 
controls were executed by Facebook (or Facebook’s systems if automated) on a regular 
frequency and whether documentation and/or support was maintained to evidence the 
controls’ execution. Our operating effectiveness test procedures included, where 
appropriate, selecting samples from throughout the period and performing a combination 
of inquiry, observation, and/or inspection/examination procedures to evaluate the 
effectiveness of the Facebook control activities documented on pages 22-57 of this 
document. 
Over the course of the reporting period, PwC performed procedures that included 
interviewing individuals from Privacy, Privacy Program Management, Public Policy, Legal, 
Security, Community Operations, Platform, Developer Operations, Infrastructure, 
Information Technology Operations Logistics, Communications, Marketing, Product 
Teams, and Human Resources. Test plans for each control activity tested are also included 
on pages 22-51 of this document. See Appendix A for a summary of interviewees. 


Use or disclosure of data contained on this page is subject to the restriction on the title page of this report. 
Page 18 of 54 HIGHLY CONFIDENTIAL 


pwc 


PwC’s Assessment of Part IV A, B, C, D and E of the Order 

The tables in section “Facebook’s Privacy Program: Assertions, Control Activities and PwC’s 
Tests Performed and Results” of this report describe the scope of Facebook’s Privacy 
Program referenced in the Management Assertion on pages 52-53. Facebook established its 
privacy program by implementing privacy controls to meet or exceed the protections 
required by Part IV of the Order. The table also includes PwC’s inquiry, observation, and 
inspection/examination test procedures to assess the effectiveness of Facebook’s program 
and test results. PwC’s final conclusions are detailed on pages 4-5 of this document. 

A. Set forth the specific privacy controls that respondent has implemented and 
maintained during the reporting period. 

As depicted within the table on pages 22-51, Facebook has listed the privacy controls that 
were implemented and maintained during the reporting period. 

B. Explain how such privacy controls are appropriate to respondent’s size and 
complexity, the nature and scope of respondent’s activities, and the sensitivity 
of the covered information. 

Based on the size and complexity of the organization, the nature and scope of Facebook’s 
activities, and the sensitivity of the covered information (as defined by the Order), 
Facebook management developed the company-specific criteria (assertions) detailed on 
pages 52-53 as the basis for its Privacy Program. The management assertions and the 
related control activities are intended to be implemented to address the risks identified by 
Facebook’s privacy risk assessment. 

C. Explain how the privacy controls that have been implemented meet or 
exceed the protections required by Part IV of the Order. 

As summarized in the Facebook Privacy Program section on pages 6-14, Facebook has 
implemented the following protections: 

A. Designation of an employee or employees to coordinate and be responsible for the privacy program. 

As described above, Facebook has designated a team of employees to coordinate and 
be responsible for the Privacy Program as required by Part IV of the Order. As 
described on pages 22-23 (Management’s Assertion A), PwC performed test 
procedures to assess the effectiveness of the Facebook privacy controls implemented 
to meet or exceed the protections required by Part IV of the Order. 

B. The identification of reasonably foreseeable, material risks, both internal and external, that could result in Respondent’s unauthorized collection, use, or disclosure of covered information and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this privacy risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management, including training on the requirements of this order, and (2) product design, development, and research. 


As described above, Facebook has identified reasonably foreseeable, material risks, 
both internal and external, that could result in Facebook’s unauthorized collection, 
use, or disclosure of covered information, and assessed the sufficiency of any 
safeguards in place to control these risks as required by Part IV of the Order. As 
described on page 24 (Management’s Assertion B), PwC performed test procedures 
to assess the effectiveness of the Facebook privacy controls implemented to meet or 
exceed the protections required by Part IV of the Order. 

C. The design and implementation of reasonable controls and procedures to address the risks identified through the privacy risk assessment, and regular testing or monitoring of the effectiveness of those controls and procedures. 

As described above, Facebook has designed and implemented reasonable controls 
and procedures to address the risks identified through the privacy risk assessment, 
and regular testing or monitoring of the effectiveness of those controls and 
procedures as required by Part IV of the Order. As described on pages 25-44 
(Management’s Assertions C, D, E, and F), PwC performed test procedures to assess 
the effectiveness of the Facebook privacy controls implemented to meet or exceed 
the protections required by Part IV of the Order. 

D. The development and use of reasonable steps to select and retain service providers capable of appropriately protecting the privacy of covered information they receive from Respondent and requiring service providers, by contract, to implement and maintain appropriate privacy protections for such covered information. 


As described above, Facebook has developed and implemented reasonable steps to 
select and retain service providers capable of appropriately protecting the privacy of 
covered information they receive from Facebook as required by Part IV of the Order. 
Facebook also includes terms in contracts with service providers requiring that such 
service providers implement and maintain appropriate privacy protections. As 
described on pages 45-46 (Management’s Assertion G), PwC performed test 
procedures to assess the effectiveness of the Facebook privacy controls implemented 
to meet or exceed the protections required by Part IV of the Order. 

E. The evaluation and adjustment of Respondent’s privacy program in light of the results of the testing and monitoring required by subpart C, any material changes to Respondent’s operations or business arrangements, or any other circumstances that Respondent knows or has reason to know may have a material impact on the effectiveness of its privacy program. 

As described above, Facebook has evaluated and adjusted its Privacy Program in 
light of the results of the testing and monitoring required by subpart C within Part 
IV of the Order, any material changes to Facebook’s operations or business 
arrangements, or any other circumstances that Facebook knows or has reason to 
know may have a material impact on the effectiveness of its privacy program as 
required by Part IV of the Order. As described on pages 47-51 (Management’s 
Assertion H), PwC performed test procedures to assess the effectiveness of the 
Facebook privacy controls implemented to meet or exceed the protections required 
by Paragraph IV of the Order. 

D. Certify that the privacy controls are operating with sufficient effectiveness 
to provide reasonable assurance to protect the privacy of covered information 
and that the controls have so operated throughout the reporting period. 

As described in the PwC Assessment Process Overview section above, PwC performed its 
assessment of Facebook’s Privacy Program in accordance with AICPA Attestation 
Standards. Refer to pages 4-5 of this document for PwC’s conclusions. 
Facebook’s Privacy Program: Assertions, Control Activities and PwC’s Tests Performed and Results 

Provided below are the Facebook Privacy Program controls and PwC’s tests performed. Also provided are the results of the testing 
performed by PwC. Finally, additional information has been provided by PwC for the instances in which PwC identified an exception 
during testing. This information is provided in an effort to enhance the FTC’s understanding of the exception. 


Ref. | Facebook’s Control Activity | PwC’s Tests Performed | PwC’s Test Results | Additional Information 


Assertion A - Responsibility for the Facebook Privacy Program 

Facebook has designated an employee or employees to coordinate and be responsible for the privacy program. 


A-1 

Facebook has designated a team of employees who are directly responsible for the Privacy Program (the “Privacy Governance Team”). Facebook’s Chief Privacy Officer leads the Privacy Governance Team. 

Facebook has defined roles, responsibilities and qualifications for key positions supporting the privacy team, including the Privacy Governance Team (responsible for coordinating Facebook’s Privacy Program) and the Privacy Cross-functional Team (“Privacy XFN”) (responsible for the product development process). 


(b)(3):6(f),(b)(4) 
A-2 

Facebook has designated a team of employees who are directly responsible for the Information Security Program (the “Security Team”) which closely supports the privacy program. Facebook’s Chief Security Officer leads the information security team. 

Facebook has defined roles and responsibilities for key positions supporting the information security team (responsible for coordinating Facebook’s Security Program). 



Assertion B — Privacy Risk Assessment 

Facebook has identified reasonably foreseeable, material risks, both internal and external, that could result in Facebook’s unauthorized collection, use, or disclosure of covered information and an assessment of the sufficiency of any safeguards in place to control these risks. This privacy risk assessment includes consideration of risks in areas of relevant operations, including, but not limited to: (1) employee training and management, including training on the requirements of this order, and (2) product design, development, and research. 


B-1 


Facebook holds an annual privacy 
summit (“Privacy Summit”) that 
includes key representatives from the 
Privacy XFN. Attendees of the 
Annual Summit review and update 
the privacy risk assessment (“Risk 
Assessment”), focusing on significant 
material risks identified by the 
Privacy Governance Team. Risks are 
evaluated in light of changing internal 
and external threats, changes in 
operations, and changes in laws and 
regulations. The sufficiency of 
existing controls in addressing 
current and future risks is 
considered; recommendations are 
escalated and changes to the Privacy 
Program are considered. 


(b)(3):6(f),(b)(4) 
Assertion C - Privacy and Security Awareness 


Facebook has a privacy and security awareness program in place which is defined and documented in privacy and security for privacy policies. The extent of 
communications to employees is based on their role and responsibility and may include internal communications through various channels and training. 



C-1 Facebook has defined and documented privacy policies, which govern its relationship with users and others who interact with Facebook. The following policies are documented and made available through various forms (e.g., on the website / mobile application / internal Wiki, for third-party applications) and on all in-scope platforms and products (e.g., Android / iOS). 

• Data Policy 

• Statement of Rights and 
Responsibilities (“Terms”) 

• Platform Policy (Third-Party 
Developer Policies) 

The topics covered within these 
policies include the following: 

• Notice 

• Choice and consent 

• Collection 

• Type and source of information 
collected 

• Use, retention, and deletion 

• Access 

• Disclosure to third parties 

• Security for privacy 

• Monitoring and enforcement 
C-7 


(b)(3):6(f),(b)(4) 
C-8 
Assertion D - Transparency, Consent, Access, Use, and Deletion 

Facebook provides notices and other informational materials about its privacy policies and procedures, and about its terms of service. These materials explain the purposes for which covered information is collected, used, and deleted and describe the choices available to users. Facebook obtains consent for such practices. Facebook has implemented controls, including a Privacy Cross-Functional (“XFN”) process, to ensure that it only collects and uses covered information for the purposes identified in the notices and provides users with access to their covered information for review and update. Facebook retains covered information for as long as necessary to provide services or fulfil the stated purposes, or as required by law or regulations, and thereafter appropriately disposes of such information. 


D-1 


The privacy policies for Facebook 
are: 

• In plain and simple language 

• Appropriately labelled, easy to see, 
and not in unusually small print 

• Available in many languages used 
on the site 

• Describe the companies’ operations and the types of 
information covered. 

• Readily accessible and available 
when personal information is first 
collected from the individual 

• Provided in a timely manner (that 
is, at or before the time personal 
information is collected, or as soon 
as practical thereafter) to enable 
individuals to decide whether or not 
to submit personal information 

• Clearly dated to allow individuals to 
determine whether the privacy 
practices have changed since the last 
time they read it or since the last 
time they submitted personal 
information 

• The Data Policy and Terms address 
the use, retention, and deletion of 
user information, as well as the 
deletion and retention of individual 
content. 


(b)(3):6(f),(b)(4) 
D-3 


D-4 


At the time of account creation, a user consents to sharing certain personal information that is part of their “Public Profile,” including gender, username and user ID (account number), profile picture, cover photo, network(s), age range, language, and country. 

By clicking on the “Sign Up” button after entering this information, the user provides explicit consent at the time of account creation through agreement to the Statement of Rights and Responsibilities and acknowledgment of the Data Policy. The user provides consent for user information to be collected and chooses to share the information with Facebook and to make certain information public (i.e., the Public Profile). 


Facebook users can often control (e.g., via in-line privacy settings and account settings) the audience for their content (e.g., status updates, photos, posts). On most platforms, a user is able to select a specific audience at the time of posting. Facebook does not change the audience for a piece of content without permission from the poster. 

Note: This does not include instances where third parties control the audience, such as a user’s comment on a public event. 


(b)(3):6(f),(b)(4) 


D-5 


Facebook users and non-users can 
access and update their personal 
information through various 
methods, unless Facebook terms are 
violated. 


(b)(3):6(f),(b)(4) 
Assertion F — Third-Party Developers 

Facebook discloses covered information to third-party developers only for the purposes identified in the notices and with the implicit or explicit consent of the individual. 



F-1 


F-2 


Facebook has the following formal policies in place to ensure that personal information is disclosed only to developers who have agreements with Facebook to protect personal information in a manner consistent with Facebook’s privacy program: 

• Data Policy, which informs users about how information is disclosed to applications created by developers when a user connects to those applications. 

• Facebook’s Platform Policies, which provide specific instructions and details to developers on the handling of user information. 

• Terms, which detail specific requirements for handling personal information and the responsibility of the developer to disclose a privacy policy to end 


Facebook requires developers who access public APIs to agree to Facebook’s Data Policy, Terms, and Platform Policy, which include consideration of privacy-related requirements such as: 

• Purpose of Use 

• Restrictions on Use 

• Deletion of Data 

• No Transfer 

• Updates of Data 

• Storage 


(b)(3):6(f),(b)(4) 
F-3 

Management has implemented 
mechanisms to ensure that Facebook 
obtains consent from users prior to 
disclosing non-public personal 
information to third-party 
developers. 

Third-party developers are limited to 
accessing user information based on 
an appropriate permission list 
consented to by the user. 

F-4 

Facebook requires developers who 
access non-public APIs to agree to 
Facebook’s Data Use Policy, Terms, 
and Platform Policies, which include 
privacy-related requirements such as: 

• Purpose of Use 

• Restrictions on Use 

• Deletion of Data 

• Transfer 

• Storage 

In addition, each non-public API 
request must be specifically approved 
by an authorized Facebook employee. 


(b)(3):6(f),(b)(4) 
Assertion G — Service Providers 

Facebook has developed and used reasonable steps to select and retain service providers capable of appropriately protecting the privacy of covered information they 
receive from the Company and requiring service providers, by contract, to implement and maintain appropriate privacy protections for such covered information. 

G-3 

(b)(3):6(f),(b)(4) 
Assertion H - Ongoing Monitoring of the Privacy Program 

Facebook evaluates and adjusts the Company’s privacy program in light of the results of monitoring activities, any material changes to the Company’s operations or business arrangements, or any other circumstances that the Company knows or has reason to know may have a material impact on the effectiveness of its privacy program. 

H-5 

Facebook holds an annual privacy summit (“Privacy Summit”) that includes key representatives from the Privacy XFN. Attendees of the Annual Summit review and update the privacy risk assessment (“Risk Assessment”), focusing on significant material risks identified by the Privacy Governance Team. Risks are evaluated in light of changing internal and external threats, changes in operations, and changes in laws and regulations. The sufficiency of existing controls in addressing current and future risks is considered; recommendations are escalated and changes to the Privacy Program are considered. 

(b)(3):6(f),(b)(4) 
H-7 

(b)(3):6(f),(b)(4) 
Management’s Assertion 


The management of Facebook represents that for the two years ended February 11, 2017 (“the 
Reporting Period”), in accordance with Parts IV and V of the Agreement Containing Consent 
Order (“The Order”), with a service date of August 15, 2012, between Facebook, Inc. (“the 
Company”) and the United States of America, acting upon notification and authorization by the 
Federal Trade Commission (“FTC”), the Company had established and implemented a 
comprehensive Privacy Program (“the Facebook Privacy Program”), based on Company specific 
criteria (described in paragraph two of this assertion); and the privacy controls were operating 
with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered 
information and that the controls have so operated throughout the Reporting Period. Note that 
during the Reporting Period, Facebook made acquisitions. As part of its acquisition process, the 
Company assesses whether the operations and technology of an acquired entity will be 
integrated with the Company or if it will remain independently operated. As the scope of the 
Order requires a comprehensive privacy program for Facebook, Inc., any independently 
operated affiliates were not included in the assessment of the Facebook Privacy Program. The 
products and services of Facebook, Inc., subject to the scope and assessment, are those generally 
available through Facebook’s websites, facebook.com or m.facebook.com and/or Facebook’s 
mobile applications. 

The company specific criteria (“assertions”) used as the basis for Facebook’s Privacy Program 
are described below. The below assertions have corresponding controls on pages 22-51. 

Assertion A - Responsibility for the Facebook Privacy Program, which is 
“Facebook has designated an employee or employees to coordinate and be responsible 
for the privacy program.” 

Assertion B - Privacy Risk Assessment, which is “Facebook has identified reasonably 
foreseeable, material risks, both internal and external, that could result in Facebook’s 
unauthorized collection, use, or disclosure of covered information and an assessment of the 
sufficiency of any safeguards in place to control these risks. This privacy risk assessment 
includes consideration of risks in areas of relevant operations, including, but not limited to: 

(1) employee training and management, including training on the requirements of this order, 
and (2) product design, development, and research.” 

Assertion C - Privacy and Security Awareness, which is “Facebook has a privacy and 
security awareness program in place which is defined and documented in privacy and security 
for privacy policies. The extent of communications to employees is based on their role and 
responsibility and may include internal communications through various channels and 
training.” 

Assertion D - Transparency, Consent, Access, Use, and Deletion, which is 
“Facebook provides notices and other informational materials about its privacy policies and 
procedures, and about its terms of service. These materials explain the purposes for which 
covered information is collected, used, and deleted and describe the choices available to users. 
Facebook obtains consent for such practices. Facebook has implemented controls, including a 
Privacy Cross-Functional (“XFN”) process, to ensure that it only collects and uses covered 
information for the purposes identified in the notices and provides users with access to their 
covered information for review and update. Facebook retains covered information for as long 
as necessary to provide services or fulfil the stated purposes, or as required by law or 
regulations, and thereafter appropriately disposes of such information.” 

Assertion E - Security for Privacy, which is “Facebook protects covered information 
of users against unauthorized access.” 

Assertion F - Third-Party Developers, which is “Facebook discloses covered 
information to third-party developers only for the purposes identified in the notices and 
with the implicit or explicit consent of the individual.” 

Assertion G - Service Providers, which is “Facebook has developed and used 
reasonable steps to select and retain service providers capable of appropriately 
protecting the privacy of covered information they receive from the Company and 
requiring service providers, by contract, to implement and maintain appropriate privacy 
protections for such covered information.” 

Assertion H - Ongoing Monitoring of the Privacy Program, which is “Facebook 
evaluates and adjusts the Company’s privacy program in light of the results of 
monitoring activities, any material changes to the Company's operations or business 
arrangements, or any other circumstances that the Company knows or has reason to 
know may have a material impact on the effectiveness of its privacy program.” 

Furthermore, the Company represents that for the Reporting Period, Facebook’s Privacy 
Program contains controls and procedures appropriate to its size and complexity, the nature and 
scope of its activities, and the sensitivity of the covered information. 


Facebook, Inc. 



By: 


Edward Palmieri 

Director and Associate General Counsel, Privacy 
Facebook, Inc. 


1601 Willow Road, Menlo Park, California 94025 
650.543 4800 - tel 650.543.4801 - fax 
Appendix A - Assessment Interviews Summary 


The primary Facebook individuals interviewed by PwC, as a part of the above Assessment 
procedures, include, but are not limited to, those individuals listed in the table below. 


Title | Team 
Chief Privacy Officer | Privacy, Public Policy 
Director and Associate General Counsel, Privacy | Legal - Privacy and Regulatory 
Lead Counsel, Privacy | Legal - Privacy and Regulatory 
Privacy and Regulatory Program Manager | Legal - Privacy and Regulatory 
Associate General Counsel | Legal - Commercial 
Lead Litigation Paralegal | Legal - Litigation 
Compliance Specialist | Legal - Global Ethics and Compliance 
Compliance Training Program Manager | Legal - Global Ethics and Compliance 
Privacy Program Manager | Privacy 
Head of Privacy Program | Privacy 
Product Specialist | Community Operations 
Software Engineer | Security Infrastructure 
Technical Program Manager | Platform 
Chief Security Officer | Security 
Head of Information Security Policy, Risk, and Compliance | Security 
Security Compliance Manager | Security 
Security Compliance Analyst | Security 
Information Security Abuse Investigator | Security 
Global Contingent Workforce Program Manager | Human Resources 
Head of US People Operations | Human Resources 
Global Onboarding Operations | Human Resources 
Background Check Coordinator | Human Resources 
Global IT Logistics and Mobile Telecom Leader | IT Operations Logistics 
Logistics Manager | IT Operations Logistics 
Global Asset Management Lead | IT Operations Logistics 
Manager, Operations Program Management | Infrastructure Support 